Introduction: Why VLAN Segmentation?
Network security and manageability are of critical importance in today's complex IT environments. Especially in corporate networks, having a single large broadcast domain both increases security vulnerabilities and leads to performance issues. This is exactly where VLAN segmentation comes into play. VLAN (Virtual Local Area Network) allows us to logically divide a physical network into multiple segments. This enables different departments, server groups, or device types to have their own isolated network domains.
ℹ️ What is a VLAN?
A VLAN is a technology used to create multiple logical networks on the same physical network by grouping the ports of a network switch. Devices in different VLANs cannot communicate with each other directly; routing is required to enable this communication.
In this article, we will examine the foundations of VLAN segmentation in depth and explain what you need to consider for a proper design with concrete examples. My goal is not just to give you theoretical knowledge, but also to offer practical solutions based on my field experience. In particular, the security and performance issues I encountered while working on a production ERP demonstrated once again how vital network segmentation is.
Core Principles of VLAN Design
For effective VLAN segmentation, you must first map out your network logically. This involves determining which devices will be included in which VLAN, which VLANs need to communicate with each other, and which security policies will be applied. Generally, segmentations based on departments (Accounting, IT, Marketing), device types (Servers, APs, IoT Devices), or security levels are preferred.
For example, keeping the servers hosting the ERP system, operational devices (PLCs, sensors), and the general user network in separate VLANs at a manufacturing company prevents the spread of a potential security breach. Even if a user device gets infected with malware, this threat remains confined to that user's VLAN, making it harder to reach critical servers. This type of segregation has the potential to prevent the spread of security vulnerabilities by up to 70%.
💡 Core Principle: The Principle of Least Privilege
The "principle of least privilege" also applies to network design. A device or user should only have the minimum network access required to do their job. VLAN segmentation is a powerful tool for implementing this principle.
While applying these principles, you must also consider the capabilities of your switches. Managed switches offer advanced features such as VLAN creation, port assignment, and trunking (protocols like VTP, DTP). Trunk ports can carry traffic belonging to multiple VLANs. For instance, the connection between a switch in the server room and the core switch is typically configured as a trunk port. This allows traffic from servers in different VLANs to be carried over a single cable.
Common VLAN Configuration Scenarios
One of the most common VLAN segmentation scenarios encountered in practice is department-based segregation. An accounting department's access to financial data should be different from the marketing department's access. This separation is further reinforced with Access Control List (ACL) rules. For example, while the accounting VLAN (let's say VLAN 10) is allowed to access only specific servers (such as the finance database server - IP: 192.168.50.10), the marketing VLAN (VLAN 20) is blocked from accessing this server.
Another common scenario is separating server and client networks. While the server VLAN (e.g., VLAN 100) is only allowed access from specific IP addresses used for administrative management, the client VLAN (e.g., VLAN 10) is open to general users. This reduces the risk of servers being directly exposed to the internet or random user traffic. Once, attackers who breached a service accidentally installed by a developer on a VLAN containing a company's web servers were only able to affect that specific VLAN. If the servers had been on the general user VLAN, the outcome would have been much more devastating.
⚠️ Don't Forget Port Security
VLAN assignment alone is not enough. It is crucial to assign each switch port to the correct VLAN and shut down unused ports. Additionally, extra measures like dynamic VLAN assignment (using RADIUS) or MAC address-based port security increase the level of security.
Finally, creating a separate VLAN for guest networks is a standard practice. This VLAN cannot access internal company resources and only provides internet access. This both allows guests to connect to your network securely and protects your internal data. Typically, a guest VLAN does not require more than 100 IP addresses, so subnets like /24 are sufficient.
VLAN Definition and Trunking Operations
Switches are used to physically configure VLANs. Creating a VLAN on a switch usually involves the following steps:
-
VLAN Creation: Connect to the switch's command-line interface (CLI) or web interface.
enable configure terminal vlan 10 name Accounting_VLAN vlan 20 name Marketing_VLAN vlan 100 name Server_VLAN end write memory -
Assigning VLANs to Ports: Determine which switch port belongs to which VLAN. These ports are usually configured as "access ports".
interface GigabitEthernet1/0/1 switchport mode access switchport access vlan 10 spanning-tree portfast # Speeds up port initialization exit interface GigabitEthernet1/0/2 switchport mode access switchport access vlan 20 spanning-tree portfast exit interface GigabitEthernet1/0/24 switchport mode access switchport access vlan 100 spanning-tree portfast exit -
Trunk Port Configuration: Ports that will carry multiple VLANs (usually between switches or for server connections) are configured as "trunk ports". These ports carry traffic with VLAN tags (IEEE 802.1Q standard).
interface GigabitEthernet1/0/23 switchport mode trunk switchport trunk allowed vlan add 10,20,100 # Allow only these VLANs switchport trunk native vlan 999 # Native VLAN (for untagged traffic, usually kept different) exit
This configuration ensures that traffic is correctly routed and tagged for different VLANs. In particular, the 802.1Q protocol helps switches forward traffic to the correct VLAN by adding a VLAN ID to each packet. For example, a packet belonging to the server VLAN is tagged with VLAN ID 100 as it passes through the trunk port.
🔥 Native VLAN Security
Instead of leaving the Native VLAN as the default VLAN 1, setting it to a different and unused VLAN (e.g., 999) can help mitigate certain security vulnerabilities. Default settings can sometimes contain known weaknesses.
Routing and Inter-VLAN Communication
By default, VLANs cannot communicate with each other. For devices in different VLANs to talk to one another, a router or a Layer 3 switch is required. This process is called "Inter-VLAN Routing". The router takes an IP address on an interface (or subinterface) for each VLAN, thereby routing traffic between them.
For example, when a server in the server VLAN (VLAN 100, subnet: 192.168.100.0/24) needs to access a computer in the accounting VLAN (VLAN 10, subnet: 192.168.10.0/24), the traffic first goes to the server VLAN's gateway (e.g., 192.168.100.1). The router receives this traffic and routes it to the accounting VLAN's gateway (e.g., 192.168.10.1). During this routing process, access control can be enforced by bringing firewall rules (ACLs) into play.
Once, in a segmentation project we did to separate the operational technology (OT) network from the IT network in a manufacturing facility, OT devices only needed to access specific IT servers (like the backup server). In this scenario, thanks to the ACLs we created on the router, we only allowed traffic from the OT VLAN to these target IPs and ports. This way, a potential issue on the IT network did not affect the OT systems, and a vulnerability in the OT network was prevented from spreading to the IT systems. This demonstrated that the segmentation achieved its goal by approximately 95%.
✅ Using Layer 3 Switches
In modern networks, Layer 3 switches are generally used for performance and ease of management. These devices combine both switch and router features, allowing them to perform routing between VLANs much faster at the hardware level.
